Abstract. Akleylek et al. [S. Akleylek, L. Emmungil and U. Nuriyev, A modified algorithm for peer-to-peer security, Journal of Appl. Comput. Math., vol. 6(2), pp. 258-264, 2007] introduced a modified public-key encryption scheme with a steganographic approach for security in peer-to-peer (P2P) networks. In this cryptosystem, Akleylek et al. attempt to increase the security of P2P networks by mixing the ElGamal cryptosystem with the knapsack problem. In this paper, we present a ciphertext-only attack against their system that recovers the message. In addition, we show that the completeness property does not hold for their scheme, and therefore the receiver cannot uniquely decrypt messages. Furthermore, we show that this system is not chosen-ciphertext secure, so the proposed scheme is vulnerable to the man-in-the-middle attack, one of the most pernicious attacks against P2P networks. Therefore, this scheme is not suitable for implementation in P2P networks.

We modify this cryptosystem in order to increase its security and efficiency. Our construction is an efficient CCA2-secure variant of the Akleylek et al. encryption scheme in the standard model, CCA2 security being the de facto security notion for public-key encryption schemes.



1. Introduction 

The use of computer networks is growing day by day, and with it the number of nodes. As the number of clients increases, the server becomes busy and insufficient even when the bandwidth is high enough. Moreover, since the variety of requests increases, servers may not have the data a user needs. We can overcome these obstacles by using peer-to-peer (P2P) networks. P2P networks have become popular as a new paradigm for information exchange and are used in many applications such as file sharing, distributed computing, video conferencing, VoIP, and radio and TV broadcasting. P2P networks do not have centralized servers; some powerful nodes act as servers. The fourth generation supports streams over P2P networks, and each node can talk with any other. In these networks, since the server is decentralized and each node can communicate directly with other nodes, management and security become the most important problems. There are several ways to make P2P networks secure, and cryptography plays the most important role in each of them. Cryptography is the art of keeping data secure from eavesdropping and other malicious activities. Therefore, cryptographic algorithms are essential in P2P systems, since they can protect a message for an individual and verify its integrity.

Due to the peer-relying nature of P2P networks, they are susceptible to many general attacks. The man-in-the-middle attack is one of the most pernicious attacks against P2P networks. It is an indirect intrusion, where the attacker inserts its node undetected between two nodes. It is typically used for eavesdropping on a public-key encrypted conversation to retrieve, modify or cut the information being sent, by adopting various strategies and tricks. Therefore, a public-key encryption (PKE) scheme must resist this type of powerful attack. Security against adaptive chosen-ciphertext attack (i.e., CCA2 security) [17] is the strong security notion for a PKE scheme. This notion is known to suffice for many applications of encryption in the presence of active attackers (a man-in-the-middle adversary), including secure P2P transmission, secure communication, auctions, voting schemes, and many others. In this scenario, the adversary has seen the challenge ciphertext before having access to the decryption oracle. The adversary is not allowed to ask for the decryption of the challenge ciphertext, but can obtain the decryption of any other ciphertext, even ones derived by modifying the challenge ciphertext. A cryptosystem is CCA2-secure if the cryptanalyst fails to obtain any partial information about the plaintext corresponding to the challenge ciphertext. Most cryptographic protocols cannot prevent chosen-ciphertext attacks mounted by a man-in-the-middle adversary who has full control of the communication channel between the sender and the receiver. Indeed, designing an efficient CCA2-secure encryption scheme is a challenging problem in cryptography.

In [2], Akleylek et al. introduced a modified algorithm with a steganographic approach for security in P2P networks. In this cryptosystem, Akleylek et al. attempt to increase the security of the P2P system by mixing the ElGamal cryptosystem [8] with the knapsack problem. The knapsack problem is a decision problem which is NP-complete [11, 12, 13]. That is to say, this problem cannot be easily solved even using quantum computers. They use the ElGamal encryption scheme to disguise a private knapsack (easy knapsack) in order to produce the public key (hard knapsack). In this paper, we show that this combination leaks security and makes the cryptosystem vulnerable to a ciphertext-only attack. Any encryption scheme vulnerable to this type of attack is considered completely insecure. In addition, we show that in most cases the completeness property does not hold for their system, so the receiver cannot uniquely decrypt ciphertexts. Besides, their construction is deterministic, so each message has one preimage; therefore, an attacker can simply distinguish between the encryptions of two different messages. Hence, this encryption scheme does not satisfy indistinguishability (a.k.a. semantic security) against chosen-ciphertext attack.¹ An attacker in the network can apply these attacks and simply recover the plaintext from any challenge ciphertext. Thereupon, this scheme is not suitable for use in a P2P network. We propose a modification to this scheme in order to increase its security, efficiency and usability in P2P networks. Our construction is a CCA2-secure PKE scheme in the standard model, CCA2 security being the de facto security notion for PKE schemes. The main novelty is that the scheme's consistency check can be implemented directly by the system, without access to an external gap oracle as in [21 S] or other extrinsic rejection techniques [5].

¹ A randomized encryption algorithm is a necessary condition for CCA2 security. Although randomness is necessary, it is not sufficient (see subsection 2.4).
1.1. Related works. In 1998, Cai and Cusick [5] proposed an efficient lattice-based public-key cryptosystem with much less data expansion by mixing the Ajtai-Dwork cryptosystem [1] with an additive knapsack. Recently, their cryptosystem was broken by Pan and Deng [16]. They presented an iterative method to recover the message encrypted by the Cai-Cusick cryptosystem under a ciphertext-only scenario. They also presented two chosen-ciphertext attacks that obtain an equivalent private key which acts as the real private key. In another work, with several known attacks in mind, Pan et al. [15] very recently introduced a new lattice-based PKE scheme mixed with the additive knapsack problem which has a reasonable key size and fast encryption and decryption. Unfortunately, their scheme was broken by Xu et al. [19]. They proposed two feasible attacks on the cryptosystem of Pan et al.: the first is a broadcast attack, assuming a single encrypted message is directed to several recipients with different public keys, in which the message can be recovered by solving a system of nonlinear equations via a linearization technique; the second is a multiple-transmission attack, in which a single message is encrypted under the same public key several times using different random vectors, and the message becomes easier to recover. Very recently, Rastaghi [18] introduced an efficient PKE scheme which is robust against man-in-the-middle adversaries in P2P networks. His scheme uses the RSA cryptosystem in combination with the additive knapsack problem. Since the RSA encryption scheme is deterministic and therefore does not satisfy CCA2 security requirements, the encryption algorithm uses a new padding scheme for encoding input messages in order to secure the mixed scheme against chosen-ciphertext attack.

Organization. The rest of this paper is organized as follows. In the next section, we give some mathematical background and definitions. The Akleylek et al. cryptosystem is presented in section 3. Section 4 presents our cryptanalysis, and in section 5 we modify this cryptosystem to achieve the desired security, i.e., CCA2 security, and efficiency. Conclusions are given in section 6.



2. Preliminaries 

2.1. Notation. We will use standard notation. If $x$ is a string, then $|x|$ denotes its length. If $k \in \mathbb{N}$, then $\{0,1\}^k$ denotes the set of $k$-bit strings, $1^k$ denotes a string of $k$ ones and $\{0,1\}^*$ denotes the set of bit strings of finite length. $y \leftarrow x$ denotes the assignment to $y$ of the value $x$. For a set $S$, $s \leftarrow S$ denotes the assignment to $s$ of a uniformly random element of $S$. For a deterministic algorithm $A$, we write $x \leftarrow A^{O}(y, z)$ to mean that $x$ is assigned the output of running $A$ on inputs $y$ and $z$, with access to oracle $O$. We denote by $\Pr[E]$ the probability that the event $E$ occurs.

2.2. Mathematical background. 

Definition 2.1 (Subset sum problem). Given a set of positive integers $(a_1, \ldots, a_n)$ and a positive integer $s$, decide whether there is a subset of the $a_i$'s whose sum equals $s$. Equivalently, determine whether there are variables $(x_1, \ldots, x_n)$ such that
$$s = \sum_{i=1}^{n} a_i x_i, \qquad x_i \in \{0,1\}, \quad 1 \le i \le n.$$
The subset sum (0-1 knapsack) problem is a decision problem which is NP-complete. The computational version of the subset sum problem is NP-hard [13].

Definition 2.2 (Super-increasing sequence). The sequence $(a_1, \ldots, a_n)$ of positive integers is a super-increasing sequence if $a_i > \sum_{j=1}^{i-1} a_j$ for all $i \ge 2$.

There is an efficient greedy algorithm to solve the subset sum problem if the $a_i$'s form a super-increasing sequence: just subtract the largest possible value from $s$ and repeat. The following algorithm solves the subset sum problem for super-increasing sequences in polynomial time.

Algorithm 1 Solving a super-increasing subset sum problem.

Input: Super-increasing sequence $(a_1, \ldots, a_n)$ and an integer $s$ which is the sum of a subset of the $a_i$.
Output: $(x_1, \ldots, x_n)$ where $x_i \in \{0,1\}$, such that $s = \sum_{i=1}^{n} a_i x_i$.

(1) $i \leftarrow n$.

(2) While $i \ge 1$ do the following:

  (a) If $s \ge a_i$, then $x_i \leftarrow 1$ and $s \leftarrow s - a_i$. Otherwise $x_i \leftarrow 0$.

  (b) $i \leftarrow i - 1$.

(3) Return $(x_1, \ldots, x_n)$.

Definition 2.3 (Subset product problem³). A set of positive integers $(a_1, \ldots, a_n)$ and a positive integer $d$ are given. Decide whether there is a subset of the $a_i$'s whose product equals $d$. Equivalently, determine whether there are variables $(x_1, \ldots, x_n)$ such that
$$d = \prod_{i=1}^{n} a_i^{x_i}, \qquad x_i \in \{0,1\}, \quad 1 \le i \le n.$$
The multiplicative knapsack (subset product) problem is a decision problem which is NP-complete [11, 12]. As observed in [10, 11, 12, 13], if the $a_i$'s are relatively prime, then this problem can be solved in polynomial time by factoring $d$. Their result can be summarized in the following lemma.

Lemma 2.4. If $(a_1, a_2, \ldots, a_n)$ are relatively prime, then we can solve the subset product problem in polynomial time.



³ Multiplicative knapsack problem.
Proof. Since the $a_i$'s are relatively prime and $x_i \in \{0,1\}$, we have
$$x_i = \begin{cases} 1 & \text{if } \gcd(d, a_i) = a_i \\ 0 & \text{if } \gcd(d, a_i) = 1 \end{cases}$$
Hence,
$$x_i = \begin{cases} 1 & \text{if } a_i \mid d \\ 0 & \text{if } a_i \nmid d \end{cases}$$
where $\gcd$ means the greatest common divisor. □

Definition 2.5 (Discrete logarithm problem (DLP)). Given a prime $p$, a generator $g$ of $\mathbb{Z}_p^*$, and an element $y \in \mathbb{Z}_p^*$, finding an integer $x$, $0 \le x \le p-2$, such that
$$g^x \equiv y \pmod p$$
is called the discrete logarithm problem.

Fact 2.6. Suppose that $g$ is a generator of $\mathbb{Z}_p^*$. Then $b = g^i \bmod p$ is also a generator of $\mathbb{Z}_p^*$ if and only if $\gcd(i, p-1) = 1$.

Definition 2.7. A safe prime $p$ is a prime of the form $p = 2q + 1$ where $q$ is also prime.



2.3. Definitions. 

Definition 2.8 (Public-key encryption scheme). A PKE scheme is a triple of probabilistic polynomial-time (PPT) algorithms $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ such that:

• $\mathrm{Gen}$ is a probabilistic polynomial-time key generation algorithm which takes a security parameter $1^n$ as input and outputs a public key $pk$ and a secret key $sk$. We write $(pk, sk) \leftarrow \mathrm{Gen}(1^n)$. The public key specifies the message space $\mathcal{M}$ and the ciphertext space $\mathcal{C}$.

• $\mathrm{Enc}$ is a (possibly) probabilistic polynomial-time encryption algorithm which takes as input a public key $pk$, a message $m \in \mathcal{M}$ and random coins $r$, and outputs a ciphertext $C \in \mathcal{C}$. We write $C \leftarrow \mathrm{Enc}(pk, m; r)$ to indicate explicitly that the random coins $r$ are used, and $C \leftarrow \mathrm{Enc}(pk, m)$ if fresh random coins are used.

• $\mathrm{Dec}$ is a deterministic polynomial-time decryption algorithm which takes as input a secret key $sk$ and a ciphertext $C \in \mathcal{C}$, and outputs either a message $m \in \mathcal{M}$ or an error symbol $\bot$. We write $m \leftarrow \mathrm{Dec}(sk, C)$.

• Completeness. For any pair of public and secret keys generated by $\mathrm{Gen}$ and any message $m \in \mathcal{M}$ it holds that $\mathrm{Dec}(sk, \mathrm{Enc}(pk, m; r)) = m$ with overwhelming probability over the randomness used by $\mathrm{Gen}$ and the random coins $r$ used by $\mathrm{Enc}$.

Definition 2.9 (Ciphertext-only attack). A ciphertext-only attack is a scenario in which the adversary (or cryptanalyst) tries to deduce the decryption key, or to decrypt a challenge ciphertext, by only observing ciphertexts.

Attacker knowledge: some $y_1 = \mathrm{Enc}(x_1, pk)$, $y_2 = \mathrm{Enc}(x_2, pk)$, $\ldots$

Attacker goal: obtain $x_1, x_2, \ldots$ or the secret key $sk$.

Any encryption scheme vulnerable to this type of attack is considered completely insecure.

Definition 2.10 (CCA2-security). A PKE scheme is secure against adaptive chosen-ciphertext attacks (i.e., IND-CCA2) if the advantage of any two-stage PPT adversary $A = (A_1, A_2)$ in the following experiment is negligible in the security parameter $k$:

$\mathrm{Exp}^{\mathrm{cca2}}_{\mathrm{PKE},A}(k)$:

  $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$

  $(m_0, m_1, state) \leftarrow A_1^{\mathrm{Dec}(sk,\cdot)}(pk)$ s.t. $|m_0| = |m_1|$

  $b \leftarrow \{0, 1\}$

  $C^* \leftarrow \mathrm{Enc}(pk, m_b)$

  $b' \leftarrow A_2^{\mathrm{Dec}(sk,\cdot)}(C^*, state)$

  if $b = b'$ return 1, else return 0.

The attacker may query the decryption oracle with a ciphertext $C$ at any point during its execution, with the exception that $A_2$ is not allowed to query $\mathrm{Dec}(sk, \cdot)$ with the challenge ciphertext $C^*$. The second stage outputs the guess $b' \leftarrow A_2^{\mathrm{Dec}(sk,\cdot)}(C^*, state)$. The attacker wins the game if $b = b'$, and the probability of this event is denoted $\Pr[\mathrm{Exp}^{\mathrm{cca2}}_{\mathrm{PKE},A}(k)]$. We define the advantage of $A$ in the experiment as
$$\mathrm{Adv}^{\mathrm{cca2}}_{\mathrm{PKE},A}(k) = \Big| \Pr\big[\mathrm{Exp}^{\mathrm{cca2}}_{\mathrm{PKE},A}(k) = 1\big] - \tfrac{1}{2} \Big|.$$



2.4. ElGamal Cryptosystem. The ElGamal cryptosystem [8] is a PKE scheme based on the discrete logarithm problem (DLP) in $(\mathbb{Z}_p^*, \cdot)$. Let $p$ be a large prime such that the DLP is infeasible in $(\mathbb{Z}_p^*, \cdot)$, and let $g \in \mathbb{Z}_p^*$ be a primitive element. Each user selects a random integer $x$, $1 \le x \le p-2$, and computes $y = g^x \bmod p$. $(p, g, y)$ is the public key and $x$ is the secret key.

To encrypt a message $m$, the sender randomly chooses an integer $r$, $1 \le r \le p-2$, computes $C_1 = g^r$, $C_2 = m y^r$ and sends $C = (C_1, C_2)$ to the receiver. To recover the message $m$ from the ciphertext $C$, the receiver uses the private key $x$ to compute $m = C_2 (C_1^x)^{-1} \bmod p$.

Although the ElGamal scheme is randomized, it is not CCA2-secure. An attacker can pick a random number $r'$ and generate the ciphertext $C_1' = g^{r+r'}$, $C_2' = m y^{r+r'} = m g^{x(r+r')}$, as the values $g$ and $y$ are known from the public key. The attacker can then query for the decryption of this modified ciphertext and receive the message $m$ as the answer.



3. Akleylek et al. Cryptosystem 



In this section, we present the Akleylek et al. cryptosystem [2]. They wish to increase the security of the proposed cryptosystem by mixing the ElGamal cryptosystem with the multiplicative knapsack problem.

(1) Key generation

(a) Choose a super-increasing sequence $A = (a_1, \ldots, a_n)$, such that $a_i > \sum_{j=1}^{i-1} a_j$, $1 < i \le n$, and all $a_i$'s are integers.

(b) The keys of the ElGamal cryptosystem $(y, g, p, x)$ are calculated, where $y = g^x$.

(c) To calculate the public knapsack $B = (b_1, \ldots, b_n)$, randomly select an integer $k$, $1 \le k \le p-2$, and compute
$$y = g^x \bmod p, \qquad s_i = g^k \bmod p, \qquad u_i = y^k \cdot a_i \bmod p, \qquad b_i = (s_i, u_i) \quad \text{for } 1 \le i \le n.$$
Finally, $B = (b_1, \ldots, b_n) = ((s_1, u_1), \ldots, (s_n, u_n))$ is the public key and $(y, g, p, x, (a_1, \ldots, a_n))$ is the secret key.

(2) Encryption

To encrypt the $n$-bit binary message $m = (m_1, \ldots, m_n)$, we compute
$$(3.1)\qquad C = (C_1, C_2) = \prod_{i=1}^{n} (s_i, u_i)^{m_i},$$
i.e., $C_1 = \prod_{i=1}^{n} s_i^{m_i}$ and $C_2 = \prod_{i=1}^{n} u_i^{m_i}$, and send the ciphertext $C$ to the receiver.

(3) Decryption

To decrypt the ciphertext $C$, the receiver first calculates
$$(3.2)\qquad d = C_2 \cdot (C_1^{x})^{-1} \bmod p = \frac{\prod_{i=1}^{n} u_i^{m_i}}{\prod_{i=1}^{n} s_i^{x m_i}} \bmod p = \prod_{i=1}^{n} a_i^{m_i} \bmod p.$$
After calculating $d$, we must obtain the plaintext $m = (m_1, \ldots, m_n)$ from $d = a_1^{m_1} a_2^{m_2} \cdots a_n^{m_n}$. Note that $u_i = y^k \cdot a_i \bmod p = g^{xk} \cdot a_i \bmod p = (s_i)^x \cdot a_i \bmod p$.

Remark 3.1. We stress that for the decryption algorithm to work, we need to choose the prime $p$ such that $p > \prod_{i=1}^{n} a_i$, which is not remarked upon in the Akleylek et al. original paper. We illustrate this with an example in the next subsection.

3.1. On the Completeness of the Akleylek et al. Cryptosystem. The Akleylek et al. cryptosystem has some ambiguity. The completeness property of a PKE scheme (Definition 2.8) guarantees that for any message $m \in \mathcal{M}$ it holds that $\mathrm{Dec}(sk, \mathrm{Enc}(pk, m)) = m$. In the Akleylek et al. cryptosystem, after applying the secret key we have $d = C_2 \cdot (C_1^x)^{-1} \bmod p = \prod_{i=1}^{n} a_i^{m_i} \bmod p$,⁴ where $a_i$, $1 \le i \le n$, is a super-increasing sequence. If the Hamming weight of the input message is small, for small $a_i$'s we can efficiently retrieve the input message, but for large Hamming weight, $d$ is the product of a large subset of $a_1, \ldots, a_n$ and therefore it may be impossible for the receiver to efficiently recover the $m_i$'s from $d$. The main drawback is that the small $a_i$'s may be divisors of the larger $a_i$'s, and therefore a ciphertext may not decrypt uniquely and may have several decryptions. A moment's reflection reveals that if we want every ciphertext to decrypt uniquely, the $a_i$'s must be pairwise coprime. Therefore, the super-increasing assumption on the $a_i$'s is not sufficient for completeness of the PKE scheme, and their system does not satisfy the completeness property. We illustrate our claims with a small example.

⁴ As we mentioned in Remark 3.1, we suppose that $p > \prod_{i=1}^{n} a_i$ and therefore $d = \prod_{i=1}^{n} a_i^{m_i} \bmod p = \prod_{i=1}^{n} a_i^{m_i}$, and we have no problem decrypting the input messages. See Example 3.3 for more details.

Example 3.2. Suppose $(a_1, a_2, a_3, a_4, a_5) = (2, 3, 6, 12, 24)$ is a super-increasing sequence. Let $p = 2579$ and $g = 2$, where $g$ is a generator of $\mathbb{Z}_{2579}^*$. If we randomly choose $k = 348$ and $x = 1500$, then we have:
$$y = g^x \bmod p = 2^{1500} \bmod 2579 = 862,$$
$$s_i = g^k \bmod p = 2^{348} \bmod 2579 = 104,$$
$$u_1 = y^k \times a_1 \bmod p = 862^{348} \times 2 \bmod 2579 = 2165,$$
$$u_2 = 1958, \quad u_3 = 1337, \quad u_4 = 95, \quad u_5 = 190.$$
Suppose $(m_1, \ldots, m_5) = (0, 1, 0, 0, 1)$ is an input message. To encrypt the message $m$, we compute $C_1 = s_2 \times s_5 = 104^2 = 10816$ and $C_2 = u_2 \times u_5 = 1958 \times 190 = 372020$. To decrypt the ciphertext $C = (10816, 372020)$, the receiver computes $d = 372020 \times (10816^{1500} \bmod 2579)^{-1} \bmod 2579 = 372020 \times 2483 \bmod 2579 = 72$. Based on the super-increasing sequence $(2, 3, 6, 12, 24)$, we have $72 = 3 \times 24 = 6 \times 12$, and therefore the input message $(0, 1, 0, 0, 1)$ has two decryptions: itself and $(0, 0, 1, 1, 0)$. Therefore, completeness does not hold for the Akleylek et al. encryption scheme.

As we mentioned in Remark 3.1, if $p < \prod_{i=1}^{n} a_i$ then the decryption algorithm does not work properly. In the previous example, since $p > a_2 \times a_5$, we have no problem decrypting the input message.

Example 3.3. Now, consider the input message $m = (0, 1, 1, 1, 1)$. To encrypt the message $m$, one computes $C_1 = s_2 \times s_3 \times s_4 \times s_5 = 104^4 = 116985856$ and $C_2 = u_2 \times u_3 \times u_4 \times u_5 = 47252120300$. To decrypt the ciphertext $(116985856, 47252120300)$, the receiver computes $d = 47252120300 \times (116985856^{1500} \bmod 2579)^{-1} \bmod 2579 = 47252120300 \times 1479 \bmod 2579 = 26 \ne 3 \times 6 \times 12 \times 24$. This is because
$$p = 2579 < a_2 \times a_3 \times a_4 \times a_5 = 5184.$$
Therefore in such cases, we cannot efficiently retrieve the input messages from the corresponding ciphertexts.

4. Cryptanalysis of the Akleylek et al. Cryptosystem

In this section, we propose our ciphertext-only attack against the Akleylek et al. cryptosystem to recover the message. We also show that since the encryption algorithm of the system is deterministic, the cryptosystem is not chosen-ciphertext secure. As we previously mentioned, randomness is a necessary property for CCA2 security, but it is not sufficient.

4.1. Ciphertext-only attack. In this subsection, we show that the Akleylek et al. cryptosystem is vulnerable to a ciphertext-only attack. In other words, we can obtain the message from the challenge ciphertext.



Suppose $C = (C_1, C_2)$ is any challenge ciphertext encrypted with this cryptosystem, and we wish to find the corresponding message. From equation (3.1) we have $C = (C_1, C_2) = \prod_{i=1}^{n} (s_i, u_i)^{m_i} = (s_1, u_1)^{m_1} (s_2, u_2)^{m_2} \cdots (s_n, u_n)^{m_n}$. We note that the components $s_i = g^k \bmod p$ of the public key are constant with respect to $i$, so writing $s = s_i$ we have
$$(4.1)\qquad C_1 = \prod_{i=1}^{n} s_i^{m_i} = s^{h},$$
where $h = \sum_{i=1}^{n} m_i$ is the Hamming weight (the number of $m_i = 1$) of the input message $m = (m_1, \ldots, m_n)$. From equation (4.1) we can compute the Hamming weight $h$ of the message $m$, as the values $s_i$ and $C_1$ are known. Thus, we know the number of $m_i$'s with $m_i = 1$. From equation (3.1) we have
$$C_2 = \prod_{i=1}^{n} u_i^{m_i} = u_1^{m_1} \times \cdots \times u_n^{m_n},$$
and therefore from $C_2$ we know the number of $u_i$'s whose product equals $C_2$, but not which ones. To obtain these $u_i$'s, we need to find an $h$-tuple subset of $(u_1, \ldots, u_n)$ from the public key $B = ((s, u_1), \ldots, (s, u_n))$ whose product equals $C_2$. We denote this subset by $S$. One can choose $h$ elements of $(u_1, \ldots, u_n)$ in $\binom{n}{h}$ ways. Therefore, we need at most $\binom{n}{h}$ operations to find such a subset. After obtaining these $u_i$'s, we obtain the original message from
$$m_i = \begin{cases} 1 & \text{if } u_i \in S \\ 0 & \text{if } u_i \notin S \end{cases}, \qquad 1 \le i \le n.$$
PROBABILITY OF SUCCESS: For small $n$, we can efficiently compute $\binom{n}{h}$. For sufficiently large fixed integer $n$, we provide an upper bound for $\binom{n}{h}$.

Lemma 4.1. Suppose that $h = \lambda n$ is an integer in the range $[0, n]$. Then
$$\binom{n}{\lambda n} \le 2^{nH(\lambda)},$$
where $H(\lambda) = -\lambda \lg \lambda - (1-\lambda) \lg (1-\lambda)$ is the binary entropy function and $\lg$ is the binary logarithm.

Proof. The statement is trivial if $\lambda = 0$ or $\lambda = 1$, so assume that $0 < \lambda < 1$. To prove the upper bound, by the binomial theorem we have
$$\binom{n}{\lambda n} \lambda^{\lambda n} (1-\lambda)^{(1-\lambda) n} \le \sum_{k=0}^{n} \binom{n}{k} \lambda^{k} (1-\lambda)^{n-k} = (\lambda + (1-\lambda))^{n} = 1.$$
Hence,
$$\binom{n}{\lambda n} \le \lambda^{-\lambda n} (1-\lambda)^{-(1-\lambda) n} = 2^{nH(\lambda)}. \qquad □$$



We showed that the number of binary strings of length $n$ with Hamming weight $h = \lambda n$ is bounded by $2^{nH(h/n)}$. Thus, the running time of the proposed attack is $O(2^{nH(h/n)})$ and depends on the value of $h$. For small and large $h$, i.e., for small and large $\lambda$, $H(\lambda)$ is small and we can efficiently compute $\binom{n}{h}$ for all $n$. Therefore, if the Hamming weight of the input message is either small or large, we can efficiently break the cryptosystem for all values of $n$. $H(\cdot)$ takes its maximum value at $\lambda = 1/2$, where $H(1/2) = 1$. Thus, $\binom{n}{h}$ takes its maximum value at $h = n/2$, and the running time of the attack is $O(2^n)$. Therefore, if $n$ is chosen large enough and the input message has Hamming weight close to $n/2$, then the proposed ciphertext-only attack does not seem to work. But on the other hand, as we stated in subsection 3.1, for large $n$ and $h$, completeness does not hold for the encryption scheme. From equation (3.2) we have $d = \prod_{i=1}^{n} a_i^{m_i}$. From Lemma 2.4 and [10, 11, 12, 13], when the $a_i$'s are relatively prime, we can efficiently calculate the $m_i$'s from $d$. In the Akleylek et al. cryptosystem, since the $a_i$'s form a super-increasing sequence and are not relatively prime, small $a_i$'s are divisors of the larger $a_i$'s. Thus, as we showed in Example 3.2, we cannot uniquely obtain $m_1, \ldots, m_n$ from equation (3.2). Namely, the problem remains NP-complete and we cannot solve it, especially when $h$ and $n$ are large, i.e., $d$ is the product of a large subset of $(a_1, \ldots, a_n)$.

As a result, for large enough $n$ we have three cases:

(a) Input messages with small Hamming weight. In these cases, we can efficiently compute $\binom{n}{h}$ and therefore we can apply the proposed ciphertext-only attack in polynomial time.

(b) Input messages with medium Hamming weight, i.e., $h$ close to $n/2$. In these cases, $\binom{n}{h}$ takes its maximum value and, if $n$ is chosen large enough, we cannot efficiently compute it. In such cases, the system has ambiguity and completeness does not hold. Therefore, the encryption scheme is not usable.

(c) Input messages with large Hamming weight. In these cases, we can efficiently compute $\binom{n}{h}$; however, as in the previous case, completeness does not hold.
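The completeness failures of Examples 3.2 and 3.3 and the ciphertext-only attack of this subsection, as an added example that is not code from the paper: it implements the Section 3 scheme with the toy parameters of the two examples, enumerates every legal decoding of $d$, and shows how $C_1 = s^h$ exposes the Hamming weight (equation (4.1)) so that the public $u_i$ can be searched as described above. The function names and the bit vector layout are my own; the parameters are the paper's toy values and are not secure.

```python
from itertools import combinations
from math import prod

# Toy parameters taken from Examples 3.2 and 3.3 of the paper (not secure).
A_SEQ = (2, 3, 6, 12, 24)
P, G, X, K = 2579, 2, 1500, 348


def keygen(a, p, g, x, k):
    """Key generation of Section 3 with the randomness (x, k) fixed by the caller."""
    y = pow(g, x, p)                                  # ElGamal public value y = g^x mod p
    s = pow(g, k, p)                                  # s_i = g^k mod p, identical for every i
    yk = pow(y, k, p)
    u = [(yk * ai) % p for ai in a]                   # u_i = y^k * a_i mod p
    public = [(s, ui) for ui in u]                    # B = ((s_1, u_1), ..., (s_n, u_n))
    secret = (y, g, p, x, tuple(a))
    return public, secret


def encrypt(public, m):
    """Equation (3.1): component-wise product over the positions with m_i = 1.
    As in the paper's examples, the products are not reduced mod p."""
    c1 = prod(s for (s, _), mi in zip(public, m) if mi)
    c2 = prod(u for (_, u), mi in zip(public, m) if mi)
    return c1, c2


def decrypt_to_d(secret, c):
    """Equation (3.2): d = C_2 * (C_1^x)^{-1} mod p, which equals prod a_i^{m_i} mod p."""
    _, _, p, x, _ = secret
    c1, c2 = c
    return (c2 * pow(pow(c1, x, p), -1, p)) % p


def subset_decodings(a, d):
    """Every bit vector m with prod a_i^{m_i} == d.  No result means the receiver
    cannot decrypt at all; more than one means decryption is not unique."""
    n = len(a)
    found = []
    for h in range(n + 1):
        for idx in combinations(range(n), h):
            if prod(a[i] for i in idx) == d:
                found.append(tuple(1 if i in idx else 0 for i in range(n)))
    return found


def hamming_weight_from_c1(public, c1, p):
    """Equation (4.1): C_1 = s^h with s public, so h leaks (brute-forced here; toy p)."""
    s = public[0][0]
    for h in range(len(public) + 1):
        if pow(s, h, p) == c1 % p:
            return h
    return None


def ciphertext_only_recover(public, c, p):
    """Subsection 4.1: with h known, search the C(n, h) subsets of the public u_i for
    the one whose product equals C_2.  Returns every candidate message."""
    c1, c2 = c
    h = hamming_weight_from_c1(public, c1, p)
    if h is None:
        return []
    n = len(public)
    return [
        tuple(1 if i in idx else 0 for i in range(n))
        for idx in combinations(range(n), h)
        if prod(public[i][1] for i in idx) == c2
    ]


if __name__ == "__main__":
    pub, sec = keygen(A_SEQ, P, G, X, K)
    for msg in ((0, 1, 0, 0, 1), (0, 1, 1, 1, 1)):
        ct = encrypt(pub, msg)
        d = decrypt_to_d(sec, ct)
        print(msg, "->", ct, "d =", d, "legal decodings:", subset_decodings(A_SEQ, d),
              "recovered from the ciphertext alone:", ciphertext_only_recover(pub, ct, P))
```

For $d = 72$ the enumeration returns $(1, 1, 0, 1, 0)$ as well, since $2 \times 3 \times 12 = 72$, in addition to the two decodings listed in Example 3.2.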



4.2. Chosen ciphertext security. As we previously stated in the introduction, the Akleylek et al. PKE scheme is deterministic and therefore does not satisfy the CCA2 security conditions. Following Definition 2.10, in the CCA2 security experiment the challenger runs the key generation algorithm and gives the public key $pk$ to the adversary. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$ and gives them to the challenger. The challenger chooses $b \in \{0, 1\}$ at random, encrypts $m_b$, obtaining the challenge ciphertext $C^* = \mathrm{Enc}_{pk}(m_b)$, and gives it to the adversary. Since the encryption algorithm is deterministic, each message has one preimage. Therefore, the CCA2 adversary can simply compute the encryption of $m_0$ under the public key $pk$, namely $C = \mathrm{Enc}_{pk}(m_0)$, and compare it with the challenge ciphertext. If they are equal then $m_b = m_0$, otherwise $m_b = m_1$.

We summarize the results in the following table.

Table 2. Security and Efficiency Analysis of the Akleylek et al. Cryptosystem

Input message                  Proposed attack           Efficiency        Security
With small Hamming weight      Ciphertext-only attack    Efficient         Not secure
With medium Hamming weight     Ciphertext-only attack    ≈ O(2^n)          Not usable (1)
With large Hamming weight      Ciphertext-only attack    Efficient         Not secure
Any input message              CCA attack                Efficient         Not secure

(1) Completeness does not hold.



5. Modified Cryptosystem

In this section, we propose our modified encryption scheme based on the Akleylek et al. construction.

• Key generation. On security parameter $n$, the key generation algorithm $\mathrm{Gen}(1^n)$:

(a) Randomly chooses $n$ primes $p_i$ and a safe prime $p = 2q + 1$ such that $p > \prod_{i=1}^{n} p_i$. It is clear that $|p| \gg n$.

(b) Randomly chooses integers $x, k$ such that $1 \le x, k \le p-2$ and $\gcd(k, p-1) = 1$. With $g$ a generator of $\mathbb{Z}_p^*$, computes
$$y = g^x \bmod p, \qquad s_i = g^k \bmod p, \qquad u_i = y^k \cdot p_i \bmod p,$$
and $b_i = (s_i, u_i)$ for $1 \le i \le n$. Outputs $(n, p, (b_1, \ldots, b_n))$ as the public key and $(y, g, x, k, (p_1, \ldots, p_n))$ as the private key.

Remark 5.1. Note that since $\gcd(k, p-1) = 1$, by Fact 2.6, $s_i = g^k \bmod p$ is also a generator.

• Encryption. On inputs $m \in \mathbb{Z}_p^*$ and $pk$, the encryption algorithm $\mathrm{Enc}$:

(a) Uniformly at random chooses an $n$-bit integer $r = (r_1, \ldots, r_n) \in \{0,1\}^n$ with $r \ne 0, 1$ and computes $h = \sum_{i=1}^{n} r_i$.

(b) If $r$ is even then $r' \leftarrow r + 1$, else $r' \leftarrow r$.

(c) Computes
$$(5.1)\qquad C_1 = (C_1', C_1'') = \prod_{i=1}^{n} (s_i, u_i)^{r_i} \bmod p \quad \text{and} \quad C_2 = (m + h)^{r'} \bmod p,$$
and outputs $(C_1, C_2)$.

It is clear that the modified scheme is chosen-plaintext secure. Each message has $2^n$ corresponding ciphertexts, and therefore the probability of distinguishing between two messages is $2^{-n}$, which is negligible.

• Decryption. In the decryption phase, we first recover the randomness $r'$ that was used to encrypt the message $m$ from $C_1$; then $r'$ is used to recover the message $m$ from $C_2$. It is clear that to correctly recover the message $m$, we must recover exactly the same randomness $r$ from $C_1$. To recover the message $m$ from $(C_1, C_2)$, the decryption algorithm $\mathrm{Dec}$ performs as follows:

(a) Computes
$$d = C_1'' \cdot (C_1'^{\,x})^{-1} \bmod p = \frac{\prod_{i=1}^{n} u_i^{r_i}}{\prod_{i=1}^{n} s_i^{x r_i}} \bmod p = \prod_{i=1}^{n} p_i^{r_i} \bmod p.$$

(b) Since $p > \prod_{i=1}^{n} p_i$ and $\tilde r_i \in \{0,1\}$, we have $\prod_{i=1}^{n} p_i^{\tilde r_i} \bmod p = \prod_{i=1}^{n} p_i^{\tilde r_i}$, and so
$$d = \prod_{i=1}^{n} p_i^{\tilde r_i}.$$
Since $\tilde r_i \in \{0,1\}$, $d$ is the product of some distinct primes $p_i$. By Lemma 2.4 we conclude that
$$\tilde r_i = \begin{cases} 1 & \text{if } p_i \mid d \\ 0 & \text{if } p_i \nmid d \end{cases}, \qquad 1 \le i \le n.$$

(c) With the retrieved randomness $\tilde r = (\tilde r_1, \ldots, \tilde r_n)$ and the secret key $(y, k, (p_1, \ldots, p_n))$, computes $\tilde h = \sum_{i=1}^{n} \tilde r_i$ and checks whether
$$(5.2)\qquad C_1'' = y^{k \tilde h} \prod_{i=1}^{n} p_i^{\tilde r_i} \bmod p$$
holds (consistency check) and rejects the ciphertext if not. If it holds, then $r \leftarrow \tilde r$ and $h \leftarrow \tilde h$. Note that $C_1'' = \prod_{i=1}^{n} u_i^{r_i} \bmod p = y^{kh} \prod_{i=1}^{n} p_i^{r_i} \bmod p$.

(d) If $r$ is even then $r' \leftarrow r + 1$, else $r' \leftarrow r$.

(e) Finds the integer $w$, $1 \le w \le p-2$, such that $w \cdot r' \equiv 1 \pmod{p-1}$.⁵

(f) Computes $\tilde m = ((C_2)^{w} \bmod p) - h$.

(g) Checks whether
$$(5.3)\qquad C_2 = (\tilde m + h)^{r'} \bmod p$$
holds (consistency check) and rejects the ciphertext if not. If it holds, then outputs $m = \tilde m$.
5.1. Security analysis. 

5.1.1. Provable Security. The basic idea of provable security theory [5] is to reduce the security of a PKE scheme under some attack model to a mathematically hard problem, i.e., integer factorization, discrete logarithm problems, or an NP-complete problem such as the knapsack problem. Provable security has been widely accepted as a standard method for analyzing the security of cryptosystems. As with the original Akleylek et al. scheme and the previous knapsack-based PKE schemes cited in subsection 1.1, we fail to obtain any security proof. In this subsection we nonetheless recall certain security-related facts for the clarity of this paper.

Proposition 5.2. If the discrete logarithm problem (DLP) can be computed very efficiently, then the proposed system is not secure.



⁵ Since $|r'| = n < |p|$, we have $r' < p$. $r'$ is odd and $p - 1 = 2q$ is even and has two divisors $(2, q)$; therefore, $\gcd(r', p-1) = 1$ and $r'$ has a multiplicative inverse modulo $p - 1$.
Proof. First note that even if the DLP is computable, we cannot compute $x, k$ from $s_i = g^k \bmod p$, $y = g^x \bmod p$ and $u_i = y^k \cdot p_i \bmod p$, since $(y, g, x, k, (p_1, \ldots, p_n))$ is secret.

In the modified cryptosystem, we have
$$C_1' = \prod_{i=1}^{n} s_i^{r_i} \bmod p = s_1^{\sum_{i=1}^{n} r_i} \bmod p = s_1^{h} \bmod p,$$
where $h = \sum_{i=1}^{n} r_i$ and $s_1 = g^k \bmod p$ is a generator of $\mathbb{Z}_p^*$. If the DLP is computable, then we can determine the Hamming weight $h$ from $C_1' = s_1^h \bmod p$. According to the discussion in subsection 4.1, the modified scheme is then vulnerable to a ciphertext-only attack if $n, h$ are small or $h$ is large. In such cases, the adversary can retrieve the randomness $r$ from $C_1 = (C_1', C_1'')$ and then recover $m$ from $C_2 = (m + h)^{r'} \bmod p$. Even if the DLP is computable, the proposed scheme is not completely broken: the ciphertext-only attack works for small $(n, h)$ and large $h$, but it cannot break the system for large $n$ with medium Hamming weight. □

Proposition 5.3. If a certain special knapsack-type problem can be solved very 
efficiently, then the proposed system is not secure. 

Proof. Given $p, u_1, \ldots, u_n$ and a ciphertext $C_1 = (C'_1, C''_1)$, we want to find a subset 
$T$ of $\{1, \ldots, n\}$ such that 

$$(5.4) \qquad \prod_{i \in T} u_i \bmod p \equiv C''_1.$$ 

Then we can immediately recover the randomness $r$ from $C''_1$ and then compute the message 
$m$ from $C_2 = (m + h)^{r'} \bmod p$. Finding such a subset $T$ is a kind of knapsack 
problem. □ 

Note that congruence (5.4) is a disguised version of the easy knapsack-type problem of 
finding a subset $T$ of $\{1, \ldots, n\}$ such that 

$$\prod_{i \in T} p_i \bmod p = C''_1 \cdot \big((C'_1)^{x}\big)^{-1} \bmod p,$$ 

which we solve by computing $\gcd\big((C''_1 \cdot ((C'_1)^{x})^{-1} \bmod p),\ p_\ell\big)$ for $\ell = 1, 2, \ldots$. 
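As an added toy model (this is not the paper's code), the following Python shows the trapdoor just described: with the secret $x$ the disguise on $C''_1$ is removed, the easy multiplicative knapsack is peeled by divisibility (the gcd test above), and a $C_1$ whose two components disagree on the Hamming weight is rejected. The toy parameters, the derivation of $r'$ from $r$ (taken here as the odd $n$-bit integer with bits $r_i$) and the re-encryption consistency check are this example's assumptions, not the paper's specification.

```python
from math import gcd, prod

def is_prime(v):
    return v > 1 and all(v % d for d in range(2, int(v ** 0.5) + 1))

def setup(p_i=(2, 3, 5, 7, 11, 13, 17, 19), x=123457, k=98765):
    """Constructed toy keys: safe prime p = 2q+1 > prod(p_i); pk = (p, s = g^k, u_i = y^k p_i), sk = (x, p_i)."""
    q = prod(p_i) // 2 + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    p = 2 * q + 1
    g = next(c for c in range(2, p) if pow(c, 2, p) != 1 and pow(c, q, p) != 1)
    y, s = pow(g, x, p), pow(g, k, p)                 # y, g, k stay secret; s is public
    u = [pow(y, k, p) * pi % p for pi in p_i]        # disguised (public) knapsack
    return (p, s, u), (x, tuple(p_i))

def r_prime(r):
    # ASSUMPTION: the text only says |r'| = n and r' is odd; we take the
    # n-bit integer with bits r_1..r_n and force the low bit.
    return int("".join(map(str, r)), 2) | 1

def encrypt(pk, m, r):
    p, s, u = pk
    h = sum(r)                                       # Hamming weight of r
    c1 = (pow(s, h, p), prod(pow(ui, ri, p) for ui, ri in zip(u, r)) % p)
    rp = r_prime(r)
    if gcd(rp, p - 1) != 1:                          # Inv(r') must exist mod p-1
        raise ValueError("r' is not invertible modulo p-1")
    return c1, pow(m + h, rp, p)                     # C_2 = (m + h)^{r'} mod p

def recover_r(pk, sk, c1):
    """Trapdoor: C''_1 * (C'_1^x)^{-1} = prod_{i in T} p_i < p, so T is read off by
    divisibility (the gcd test of the text). Returns None if C_1 is inconsistent."""
    p, s, _ = pk
    (x, p_i), (c1p, c1pp) = sk, c1
    w = c1pp * pow(pow(c1p, x, p), -1, p) % p
    r = [1 if w % pi == 0 else 0 for pi in p_i]
    if prod(pi for pi, ri in zip(p_i, r) if ri) != w or pow(s, sum(r), p) != c1p:
        return None                                  # the two components disagree
    return r

def decrypt(pk, sk, ct):
    c1, c2 = ct
    r = recover_r(pk, sk, c1)
    if r is None:
        return None
    h = sum(r)
    m = pow(c2, pow(r_prime(r), -1, pk[0] - 1), pk[0]) - h   # (C_2)^{Inv(r')} - h
    return m if m >= 0 and encrypt(pk, m, r) == ct else None  # re-encryption check
```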

Birthday Attack. If the prime $p$ is chosen too small, then from the inequality $p > 
\prod_{i=1}^{n} p_i$ it follows that $n$ is small. Hence $p$ must be sufficiently large to prevent a 
birthday search through two lists $A$ and $B$ of $2^{n/2}$ elements to find a pair of sets 
such that: 

$$\prod_{i \in A} u_i = \Big(\prod_{i \in B} u_i\Big)^{-1} \cdot C''_1 \bmod p.$$ 

Therefore $n$ must be chosen such that the adversary's running time is significantly 
smaller than $2^{n/2}$ steps. 

5.1.2. CCA2 Security. In this subsection, we show that the modified scheme 
satisfies CCA2 security. As we showed in subsection 2.4, the ElGamal system is not 
CCA2-secure, because the values $g, y$ are public. Unlike the ElGamal system, in 
the modified system the values $(y, g, x, k, (p_1, \ldots, p_n))$ are secret, and we cannot perform 
any modification to $(C'_1, C''_1)$ in order to retrieve the randomness $r$. Even if we could 
perform modifications to the challenge ciphertext, the maliciously formed 
ciphertexts would be rejected in the scheme's consistency checking step in (5.2). If 
we can retrieve the randomness $r$, then we can simply recover the message $m$. 

Theorem 5.4. If the mixed ElGamal-Knapsack encryption scheme is secure, then 
the modified PKE scheme satisfies CCA2 security in the standard model. 

Proof. In the proof of security, we exploit the fact that for a well-formed ciphertext, 
we can recover the message if we know the randomness r that was used to create 
the ciphertext. 

In the CCA2 experiment (Definition 2.10), the challenger runs the key generation 
algorithm and gives the public key pk to the adversary. 

Challenge Ciphertext. The adversary chooses two messages $m_0, m_1$ with $|m_0| = 
|m_1|$ and gives them to the challenger. The challenger chooses $b \in \{0,1\}$ at random and 
randomness $r^*$, and encrypts $m_b$, obtaining the challenge ciphertext $C^* = (C^*_1, C^*_2)$, 
where $C^*_1 = \big(\prod_{i=1}^{n} s^{r^*_i},\ \prod_{i=1}^{n} u_i^{r^*_i}\big) \bmod p$ and $C^*_2 = (m_b + h^*)^{r'^*} \bmod p$, and gives it to 
the adversary, where $h^*$ is the Hamming weight of the randomness $r^*$. We denote 
by $r'^*$ the corresponding intermediate quantity chosen by the challenger. 

The challenger has to simulate the decryption oracle. The CCA2 adversary submits 
a request $C = (C_1, C_2)$ to the challenger, which outputs the decryption of the queried 
ciphertext to the adversary. The adversary attempts to guess the challenge bit $b$ based on the 
output of the challenger. In the CCA2 experiment, the adversary is not allowed 
to ask for the decryption of the challenge ciphertext, but can obtain the decryption of 
any modified ciphertext derived from the challenge ciphertext. 

To investigate the CCA security experiment, we consider two potential cases for the 
adversary's queries to the challenger. We also show that any modifica- 
tion to the challenge ciphertext does not reveal any useful information about the 
challenge message $m_b$. 

Case 1: $C_1 = C^*_1$ and $C_2 \neq C^*_2$. In this case, the adversary chooses $C_2$ at random 
and queries on the ciphertext $(C^*_1, C_2)$. The challenger takes as input $(C^*_1, C_2)$ and com- 
putes $r = \mathrm{Dec}_{pk}(C^*_1) = r^*$, $h = h^*$ and $r' = r'^*$. It also computes $m = ((C_2)^{\mathrm{Inv}(r'^*)} 
\bmod p) - h^* \neq ((C^*_2)^{\mathrm{Inv}(r'^*)} \bmod p) - h^* = m_b$, where $\mathrm{Inv}(r') = (r')^{-1} \bmod (p - 1)$ 
is the multiplicative inverse of $r'$. Since $C^*_2 = (m_b + h^*)^{r'^*} \bmod p \neq (m + h^*)^{r'^*} 
\bmod p$, the simulator rejects the ciphertext in (5.3). Therefore, the system 
does not reveal any information about the challenge message $m_b$, and so the advan- 
tage of the adversary in guessing the challenge bit $b$ in this case is zero. 
In this case, the adversary cannot perform any modification to $C_2$ based on $C^*_2$ in 
order to retrieve $m_b$, since he does not know the internal random component $r^*$ 
chosen by the challenger for encrypting $m_b$. 

Case 2: $C_1 \neq C^*_1$ and $C_2 = C^*_2$. In this case, the adversary chooses $C_1$ at ran- 
dom and queries on the ciphertext $(C_1, C^*_2)$. The challenger takes as input $(C_1, C^*_2)$ 
and computes $r = \mathrm{Dec}_{pk}(C_1)$. Since the encryption algorithm producing $C_1$ is determin- 
istic, any randomness $r$ has one preimage. Thus if $C_1 \neq C^*_1$, then 
$r = \mathrm{Dec}_{pk}(C_1) \neq \mathrm{Dec}_{pk}(C^*_1) = r^*$. In the worst case, we assume $r$ and $r^*$ 
have the same Hamming weight, namely $h = h^*$. So we have $m = ((C_2)^{\mathrm{Inv}(r')} 
\bmod p) - h^* \neq ((C_2)^{\mathrm{Inv}(r'^*)} \bmod p) - h^* = m_b$. Hence, the simulator rejects the 
ciphertext in (5.3), since $C^*_2 = (m_b + h^*)^{r'^*} \bmod p \neq (m + h^*)^{r'} \bmod p$. There- 
fore, the encryption scheme does not reveal any information about the challenge 
message $m_b$, and so the advantage of the adversary in guessing the challenge bit $b$ in this 
case is zero. 

As shown in [18], in knapsack-based PKE schemes a CCA2 adversary cannot 
efficiently produce a legitimate ciphertext based on $C^*$. As shown in [18], the prob- 
ability that the adversary succeeds in retrieving an $r$ that differs from $r^*$ in one bit is $1/2n$, which 
is smaller than $1/2$ (note that in general the probability of guessing $b$ is $1/2$, since $b = 0$ 
or $b = 1$). We stress that even if the adversary can compute $r$ with probability 
greater than $1/2$, then since the retrieved randomness $r$ is not equal to $r^*$ (they differ 
in one bit), $m = ((C^*_2)^{\mathrm{Inv}(r')} \bmod p) - h^*$ is not equal to $m_b$, where 
we assume $r$ and $r^*$ have the same Hamming weight. So, as stated above, the 
simulator rejects the ciphertext in (5.3). □ 

6. Conclusion 

In this paper, we considered a knapsack-based PKE scheme mixed with the ElGamal 
cryptosystem. This cryptosystem uses the ElGamal system in the key generation 
stage to disguise the secure knapsack (a super-increasing sequence) in order to pro- 
duce the public knapsack. It uses the subset product (multiplicative knapsack) problem, 
which is NP-complete, as its encryption function. We showed that this combi- 
nation leaks security and makes the cryptosystem vulnerable to a ciphertext-only 
attack. In addition, since the encryption algorithm of the mentioned scheme is de- 
terministic, it does not satisfy the CCA2 security requirements. Thus, the 
resulting encryption scheme is also vulnerable to a man-in-the-middle attack, and 
therefore the scheme is not suitable to implement in a P2P network. Besides, as 
we showed, the completeness property does not hold for the system in general. 
We modified this cryptosystem to improve its security and efficiency. The modified 
scheme is CCA2-secure and the proposed ciphertext-only attack is not applicable to it. 
Completeness holds in all cases and each ciphertext decrypts uniquely. 